Versions < 4.2.5-68.el7_5.1 of the DHCP client packages in Red Hat Enterprise Linux 6/7 are vulnerable to arbitrary command injection. An attacker on the local network could use this flaw to achieve root RCE by spoofing DHCP responses.
- The vulnerable Red Hat server broadcasts a DHCP request.
- The attacker replies with a DHCP ACK containing a command injected into the Proxy Autodiscovery DHCP option.
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
The option exists to remove or disable the vulnerable script, however, this will prevent certain configuration parameters being provided on a local system and is inadvisable.
The vulnerability in question has been addressed and resolved by the vendor. The DHCP packages should be updated to the latest available versions as soon as possible.